Advanced Cyber Defense - Dell EMC Germany


1 © Copyright 2013 EMC Corporation. All rights reserved.

Advanced Cyber Defense: A Readiness, Response & Resilience (R3) Strategy for Targeted Attacks

Azeem Aleem - Manager Advanced Cyber Defense, EMEA

Slide 2

ACD Service Portfolio: Readiness, Response & Resilience

• Strategy & Roadmap
• Incident Response
• Cyber Threat Intelligence
• Vulnerability Risk Management
• Security Operations Management
• NextGen SOC Design & Implementation

Slide 3

Cyber attacks are real and growing. The internet enables remote attacks with lower risk of detection.

Timeline of notable attacks and intrusions, 2003–2013: Titan Rain, Aurora, PLA Unit 61398 recruitment scholarships, Night Dragon, Shady RAT, Grey Goose, Stuxnet, Australian Mining, RBA, Taidoor, Safe, Duqu, Comodo, Black Tulip, Nitro, IMF, RSA, Lockheed Martin, Ghost Net, Nortel, State Dept., US Naval War College, Oak Ridge, Los Alamos, Commerce Secretary, Estonia, Red October.

Slide 4

Challenge: Organizations are not ready

Chart: Security Market Sizing (excl. Services), 2013–2017, $0 to $40,000 (in $000,000); series: Hardware & Software, Specialized Threat Analysis & Protection (sources: Gartner, 2013; IDC, 2013).

Source: 2013 VDB Investigations Report

• In 84% of cases, the initial compromise took hours – or even less.
• In 66% of cases, the breach wasn't discovered for months – or even years.
• In 22% of cases, it took months to contain the breach.

Slide 6

Incident Response? Implementation of Proactive Cyber Compliance and Regulation?

Understand the Threat: Learning from our mistakes - DIY syndrome?

A Case for Intelligence Driven Security?

Slide 7

What we see: Why organizations are not ready

Diagram: signature-based tools (Fire Wall, Virus, Proxy, IDS/IPS) each send Log Alerts to a SIEM Platform; the SIEM generates an alert, the Security Team reviews the signature-based alerts, and the Desktop Support Team handles them.

• No formal processes
• No incident management system, no metrics
• Ad-hoc (email) communication
• Flat team structure
• Tool break/fix competes with analysis & response
• No / minimal analysis
• No closure step on reported incidents

Slide 8

There's no such thing as an isolated incident

Behind every major safety incident, there are 29 minor incidents, 300 near misses and thousands of bad practices.

See and manage the whole incident space - not just the exceptions.

Slide 9

Applying ACD to the Breach Cycle

Diagram: the Cyber Cycle, i.e. the Cyber Kill Chain ("Breach Life Cycle"), runs from the Threat Vector "Malware" (Undetected) through Establish Network Foothold to Data Exfiltration and Late Detection; the interval between compromise and detection is the Breach Exposure Time ("BET"). The Advanced Cyber Defense Approach sets a Target Threat Visibility & Mitigation Goal against this cycle.

Slide 10

RSA ACD Services Portfolio: Control mapping for Readiness, Response & Resilience (R3)

Diagram: controls plotted by Intelligence Value (Low to High) against Defense Effectiveness (Low to High): Packet Analysis, Strong Authentication, SIEM, DLP, SSO, Change Control, Firewalls, IDS\IPS, Training & Awareness, Policy, Standards & Guidelines, Host Analysis, Physical Security, Network Encryption, Vulnerability Management, File Encryption, Disk Encryption, Patch Management, Vendor / MSSP Governance, File Analysis, Workflow Automation, Threat Intelligence, Anti Virus, Background Checks, SOC Procedures, Risk Assessment. Annotations: "Large investments here!" and "Not enough being invested here!"; bands labelled Readiness, Response, Resilience.

ACD Approach (R3): Enhance Readiness, Accelerate Response, Sustain Resilience

Slide 11

What We Need: Intelligence driven model for Readiness, Response & Resilience

Diagram: a Single UI for Incident Management & Reporting, backed by a Data Warehouse & Ticketing System with Workflow & Automation and Rules, Alerts & Reports. Threat Triage (Level 1, Level 2, Level 3 Triage) draws on Analytic Intelligence, Content Intelligence, Expertise and Threat Intelligence. Visibility comes from Controls (A/V, IDS/IPS, Firewall/VPN, Proxy, Packets, Host, File, DLP) producing SIEM Log Alerts, DLP Alerts and Signature-less Alerts. Context covers Business Context, Risk Context and Threat Context (Line of Business Owner, Policy, Assessments, Criticality, Vulnerability, Subscriptions, Community, Open Source). Teams shown: Security Architecture Team, Device Administration, IT Team.

Slide 12

Advanced Security Operations (After)

Diagram: a NextGen SOC with Incident Management, Dashboard, and Metrics & Reporting, fed by Log Capture & Analysis (alerts and threats from AV, IPS, WEB, FW), Security Monitoring & Analytics (VMS data, config data, asset data), Full Packet Capture & Analysis, and DLP Data & Incidents. Intel flows in as context, new intel, community intel and Tier 2&3 intel via a Custom Threat Intel Portal. Modules: Business Continuity Management, Threat Management, Risk Management, Incident Management.

Slide 13

Benefits of "Intelligence-Driven" SOC

• Formally documented processes and procedures
• Specific roles and responsibilities
  - Team structure with specialization
  - Formal workflow supported by process
• Threat monitoring improved
  - Formal development of Monitoring Use Cases
  - Higher-value assets monitored more closely
  - Threat intelligence feeds detection processes
• Incident management system maintains records
• Metrics to show threat trends and team performance

Slide 14

Operations Effectiveness Trending

Operations & Reporting

Slide 15

Operations Effectiveness Trending

Chart: maturity scores on a 0–5 scale for Business Alignment, Risk Alignment, Content Intelligence, Analytic Intelligence, Threat Intelligence, Incident Response, Defense-in-depth and Key Performance Indicators, compared across: Global Telecommunications Company (>100k employees), Global Financial Services (>25k employees), Global Financial Services (>40k employees), Global Banking (>80k employees), Global Medical Device Mfr (>25k employees).

Slide 16

Phased Maturity Requirement

Low Risk Gap Medium Risk Gap High Risk Gap

Slide 17

Service Delivery Framework: RSA Program for NextGen SOC

Diagram (phases: Strategy, Design, Implement, Operate): Assess Current State & Gaps; Design Technical Architecture; Design & Plan Operations; Implement & Automate Operations; Upgrades & Health Checks; Enhance Maturity. Capability tracks: Network Monitoring & Packet Capture, Host Monitoring, Threat Intelligence, Data Loss Prevention, Fraud Intelligence, Add Context (Other Asset, Risk & Security Data), Optimize Infrastructure (Incl. Cloud & Big Data). Supporting services: Program & Project Management, Residencies, Support & Education Services; Customer Transition & Knowledge Transfer.

Slide 18

Operations Effectiveness Trending

Chart: maturity heat map (LOW, MEDIUM, HIGH) across: High Value Asset Register, Content Intelligence, Threat Intelligence, Business Continuity, Data Correlation, Infected Media Handling, "Big Data" Analysis Capabilities, RoE with Press & Media, SIEM Maturity, Triage Documentation, Backup, SOC Analyst Training, Security Policy, RoE with State and other Agencies, GRC Maturity, DLP Maturity, Quarantine Capabilities, End User Awareness Training, Analytic Intelligence.

Slide 19

Intel Driven Incident Response Workflow

Diagram labels: Intel, Reactive, Predictive.

Slide 20

Aligned Roles & Responsibilities

Tier 1 Analysts
• Event intake, analysis & triage
• SOPs & Analysis
• SLA to resolution\escalation

Tier 2 Analysts
• Incident intake, analysis & triage
• Additional free-form analysis
• SLA to resolution\escalation

Tier 3 Analysts
• Advanced & Malware Analysis
• Host & Network Forensics
• Attribution, cause & origin
• Web & E-mail operations

SOC Manager
• Reporting & Metrics
• Personnel & Ops Management
• Strategy & Planning

Content Analysts
• Workflow automation
• Alert & Rule Creation
• Correlation & Integration
• Report Development
• Contextual enrichment

Threat Analyst
• Tracking of TTPs
• Open source research
• Subscription feeds
• Threat Validation
• Impact Analysis & Attribution

Slide 21

Key Performance Indicators

• Establish metrics leveraging existing tools such as:
  - Breach exposure time
  - Time to resolution
• Establish Reporting Templates such as:
  - Advisory template
  - Weekly Status updates template
  - Cyber Threat Alert Template
  - Cyber Threat Spot Report Template

Charts (example): Incidents Closed by Severity (% of incidents closed, 0–100, for severities 1–4, against a Baseline) and Mean Time to Resolution (closure time in hours, 0–15, for severities 1–4).
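The two metrics named on this slide, breach exposure time and time to resolution, computed per severity over a few constructed incident records, as an added example that is not part of the deck; the record layout, severity labels and the SLA thresholds are assumptions made for the example.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records (not from the deck). Timestamps are "YYYY-MM-DDTHH:MM";
# "contained" is None while an incident is still open.
INCIDENTS = [
    {"id": "INC-1", "severity": "High",   "compromised": "2013-04-01T02:00",
     "detected": "2013-04-03T09:00", "contained": "2013-04-03T15:00"},
    {"id": "INC-2", "severity": "High",   "compromised": "2013-03-20T11:00",
     "detected": "2013-04-05T08:00", "contained": "2013-04-05T20:00"},
    {"id": "INC-3", "severity": "Medium", "compromised": "2013-04-10T13:00",
     "detected": "2013-04-10T14:00", "contained": "2013-04-10T18:00"},
    {"id": "INC-4", "severity": "Low",    "compromised": "2013-04-11T09:00",
     "detected": "2013-04-11T09:05", "contained": None},
]

# Assumed closure-time SLA per severity, in hours (an assumption for the example).
SLA_HOURS = {"High": 8, "Medium": 24, "Low": 72}

def _hours(start, end):
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600

def breach_exposure_hours(inc):
    """Breach exposure time (BET): compromise to detection, the window the slide calls out."""
    return _hours(inc["compromised"], inc["detected"])

def closure_hours(inc):
    """Time to resolution: detection to containment; None while the incident is still open."""
    if inc["contained"] is None:
        return None
    return _hours(inc["detected"], inc["contained"])

def kpi_report(incidents, sla=SLA_HOURS):
    """Per severity: mean BET, mean time to resolution, % closed and count of SLA breaches."""
    report = {}
    for sev in sorted({i["severity"] for i in incidents}):
        group = [i for i in incidents if i["severity"] == sev]
        closed = [c for c in (closure_hours(i) for i in group) if c is not None]
        report[sev] = {
            "count": len(group),
            "mean_bet_hours": round(mean(breach_exposure_hours(i) for i in group), 1),
            "mean_ttr_hours": round(mean(closed), 1) if closed else None,
            "pct_closed": round(100 * len(closed) / len(group), 1),
            "sla_breaches": sum(1 for c in closed if c > sla[sev]),
        }
    return report

if __name__ == "__main__":
    for sev, row in kpi_report(INCIDENTS).items():
        print(sev, row)
```

Open incidents count against the closure percentage but are excluded from the mean, so a severity with nothing closed reports a mean of None rather than a misleading zero.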

Slide 22

CIRC Dashboard: Average Time to Close
– Low
– Medium
– High

Incident Totals by Month
– 3521 DEC, 2012
– 2053 JAN, 2013
– 1579 FEB, 2013
– 2308 MAR, 2013
– 2819 APR, 2013

Slide 23

CIRC Dashboard

• Common Threats

Slide 24

CIRC Dashboard

• Events Per Day

Slide 25

Intelligence Driven Security as Competitive Advantage

Demo

危機 (crisis)

Chart: Value Reaction TM (%) from -20 to +20 over Event Trading Day 0–240, Winner portfolio vs Loser portfolio. Source: Oxford Metrica

Slide 26

Summary

• Start with the basics (i.e., Top 10 Gaps)
• Formalize your Security Operations Program
  – Roles & Responsibilities; Documented Processes; etc.
• Automate where possible. Goal: Single Pane of Glass for analysts
• Provide analysts with both Threat Intelligence and Context
• Data analytics

Slide 27

Thank You - Any Questions?